“Providers are increasingly turning to big tech companies to help their data mining efforts, according to an article at Bloomberg Businessweek.

Vendors such as Microsoft, SAS, IBM and Oracle are giving mounds of data the once-over in an analytics industry that generated more than $30 billion last year, according to research firm IDC. That figure is expected to grow to $33.6 billion in 2012, and healthcare is a leading customer.

The practice of data-mining, however, raises concerns. Hospitals have been criticized for mining patient data as a means to market to the most lucrative patients, for example. And data mining only exacerbates the concerns of patient advocates such as Deborah Peel, founder of Patient Privacy Rights, who recently told Forbes that people will avoid seeing doctors if they feel their information isn’t secure.”

Yes, the state of Health Information Exchanges (HIEs) in the US is depressing, because many don’t work well for patients or doctors. They enable hundreds or thousands of strangers who work for hospitals, insurers, health IT companies, etc. to exchange, use, or sell our sensitive medical records without our consent.

The safe way to exchange health information is to use secure email and patient consent; this is the approach taken by the “Direct Project” (see http://directproject.org/). It lets us share our health information between two health professionals and email our physicians. The Direct Project enables “participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet.”

Patient Privacy Rights (PPR) endorses the “Direct Project” as the ONLY legal, ethical, and secure way for sensitive patient information to be exchanged. The public will not trust HIEs or national data exchange models unless patients control the disclosures of their sensitive health records.

A quote from the story below shows that the financial interests of Accountable Care Organizations (ACOs) can trump patients’ interests: “Some ACO providers are now blocking access to their data so competitors can’t get to it.” That means doctors who are not part of the ACO but who treat ACO patients can’t see their test results and treatment records, even when these patients want them to have that information.

Some ACOs and other businesses view HIEs as vehicles to get more patient data, rather than as a means to serve patients’ needs for care coordination, to avoid duplicate tests, to ensure better treatment, or enable them to give consent for research use of their data.

Many corporations and businesses that HOLD patient data imagine they own it, so they use and sell it without patient consent. US law and medical ethics still require meaningful, informed patient consent before physicians or data holders can disclose anyone’s health information. “HIPAA compliance” actually does NOT get data holders off the hook for asking patients for consent before disclosing data. According to the HIPAA Privacy Rule, it’s “the floor” for data privacy protection, not the ceiling. 67 Fed. Reg. at 53,212 (August 14, 2002). HIEs designed to further business interests over patients’ interests will continue to fail, because the public will not support them.

It turns out that the only person who can easily, cheaply, and legally make patient data flow for all the right reasons (treatment, research), to all the right people (a specific doctor or researcher), at the right time is YOU.

Only you can tell an ACO to send your data to an outside clinician, and the ACO must send it, whether it gives competitors an advantage or not. Only you can make your data “fluid”, because patients are the only people with clear, longstanding Constitutional, legal, and ethical rights to disclose personal health information.

In PPR’s recent comments about building a Nationwide Health Information Network (NwHIN), we urged the Office of the National Coordinator for Health IT (ONC) to address the fatal privacy and security flaws in current systems and state and federal data exchanges. We urged ONC to certify that HIEs and data exchanges protect privacy by verifying that only patients decide when/where personal data flows. “Multi-stakeholder” public-private governance at the state and federal level has failed to gain public trust. Public-private governance assures that industry, research, and government interests trump the public’s rights to health information privacy. See: http://tiny.cc/e1v0gw for more information.

From a major cybersecurity conference, “IT systems already are or will be compromised and security efforts must shift to detecting and mitigating compromises and protecting data in compromised systems.”

FLASH: Health data systems are just as compromised as those in every other sector of the economy and government, but it’s rarely mentioned. With the HIT and healthcare industries in denial, who will secure and protect the nation’s electronic health information?

At the same conference a solution was proposed, “the future of security and privacy in a world in which vulnerabilities and exploits are inevitable lies in protecting data through the use of metadata associated with policies that will let creators and owners control data.”

FYI: last year meta-tagging health data to protect privacy was proposed by the President’s Council of Advisors on Science and Technology (PCAST). PPR testified at the HIT Policy Committee in favor of meta-tagging health data. But the HIT and Healthcare lobbies killed it.
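The two conference quotes above and the PCAST proposal describe the same idea: attach metadata to each data element that names its owner and the policy governing its release, and make the holder enforce that policy. The following is an added illustration of that idea and is not code from PCAST, PPR or any health IT vendor. It assumes a design in which each element carries consent directives (recipient and permitted purposes) and the tag is bound to the data with an HMAC under a key the holder does not control, so a holder that edits the tag is detected; a real deployment would use a digital signature rather than a shared-key MAC, and all names, keys and records below are constructed for the example.

```python
"""Policy-tagged health data elements with owner-controlled consent directives."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumed: held by the patient (owner) and the verifying gateway, never by the
# data holder. Constructed value for this example only.
OWNER_KEY = b"patient-owned-tagging-key-example"


@dataclass
class ConsentDirective:
    recipient: str            # who may receive the element, e.g. "dr.outside"
    purposes: frozenset       # permitted purposes, e.g. {"treatment"}


@dataclass
class TaggedElement:
    element_id: str
    sensitivity: str          # e.g. "routine", "mental_health", "genetic"
    payload: str
    owner: str
    directives: list = field(default_factory=list)
    mac: str = ""

    def tag_bytes(self) -> bytes:
        """Canonical encoding of data plus policy, so the MAC covers both."""
        canon = {
            "element_id": self.element_id,
            "sensitivity": self.sensitivity,
            "payload": self.payload,
            "owner": self.owner,
            "directives": sorted((d.recipient, sorted(d.purposes)) for d in self.directives),
        }
        return json.dumps(canon, sort_keys=True).encode()

    def seal(self, key: bytes) -> None:
        self.mac = hmac.new(key, self.tag_bytes(), hashlib.sha256).hexdigest()

    def intact(self, key: bytes) -> bool:
        expected = hmac.new(key, self.tag_bytes(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self.mac)


def grant(el: TaggedElement, recipient: str, purposes, key: bytes) -> None:
    """Owner adds a consent directive and re-seals; only the key holder can do this."""
    el.directives.append(ConsentDirective(recipient, frozenset(purposes)))
    el.seal(key)


def revoke(el: TaggedElement, recipient: str, key: bytes) -> None:
    """Owner withdraws every directive naming the recipient and re-seals."""
    el.directives = [d for d in el.directives if d.recipient != recipient]
    el.seal(key)


def release(elements, requester: str, purpose: str, key: bytes):
    """Holder-side release check. Returns (released element ids, decision log)."""
    released, log = [], []
    for el in elements:
        if not el.intact(key):
            log.append((el.element_id, "DENY", "policy tag altered"))
            continue
        if any(d.recipient == requester and purpose in d.purposes for d in el.directives):
            released.append(el.element_id)
            log.append((el.element_id, "ALLOW", f"{requester}/{purpose}"))
        else:
            log.append((el.element_id, "DENY", "no consent directive"))
    return released, log


def demo():
    """Walk through the ACO scenario from the text with constructed records."""
    elems = [
        TaggedElement("lab-1", "routine", "HbA1c 6.1%", "patient-42"),
        TaggedElement("psych-7", "mental_health", "therapy note", "patient-42"),
    ]
    for el in elems:
        el.seal(OWNER_KEY)
    # Patient tells the ACO: my outside cardiologist may see lab-1 for treatment.
    grant(elems[0], "dr.outside", {"treatment"}, OWNER_KEY)
    to_clinician, _ = release(elems, "dr.outside", "treatment", OWNER_KEY)
    # A data broker asking for marketing use gets nothing: no directive names it.
    to_broker, _ = release(elems, "data-broker", "marketing", OWNER_KEY)
    # The holder edits the psych note's tag without the owner's key.
    elems[1].directives.append(ConsentDirective("data-broker", frozenset({"marketing"})))
    after_tamper, tamper_log = release(elems, "data-broker", "marketing", OWNER_KEY)
    tampered = [e[0] for e in tamper_log if e[2] == "policy tag altered"]
    # Patient withdraws consent; the next request from the clinician is denied.
    revoke(elems[0], "dr.outside", OWNER_KEY)
    after_revoke, _ = release(elems, "dr.outside", "treatment", OWNER_KEY)
    return to_clinician, to_broker, after_tamper, tampered, after_revoke


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is that the policy has to travel with the data and be tamper-evident; a holder that can rewrite the tag can grant itself any use, which is exactly the "business as usual" the next paragraph describes.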

It’s back to business as usual: selling and using abysmal health IT systems and data exchanges without effective privacy or security protections — so healthcare corporations, hospitals, health plans, doctors, HIT companies, labs, pharmacies, etc can all use or sell our personal health data for discrimination and other purposes we would never agree to.

It’s time for Congress to support the Administration’s new Consumer Privacy Bill of Rights and put people in control of personal data online and in data systems by requiring robust, existing privacy and consent technologies or meta-tagging. Americans’ longstanding legal and ethical rights to health privacy must be restored so people are willing to participate in electronic health systems.

While voting remains open, the scores have remained fairly static over the past month showing a clear victory. Deborah Peel, MD has won the debate for Patient Privacy Rights, exposing the dangers of UPIs in electronic health record systems. If you have not already, you can still vote “No” to UPIs, and help protect patients, privacy, and progress toward patient-controlled electronic health records. If you are in the main article, voting takes place on the left side of the screen below the picture of Michael Collins. You can also use this direct link to vote after reviewing the full debate.

To dispel the myths of UPIs:

Trying to separate UPIs from financial records would be like trying to separate SSNs from everything they have been linked to, including medical records!

UPIs will give government, industry, data miners, and others greater ability to collect all health information on individuals. Imagine giving everyone a unique financial identifier that they would use for all credit cards, banks, retailers, and other financial institutions. Would you feel your money was secure?

A surprising number of patients already do not trust a paper-based system, and fear for their privacy even more with expanding Health IT. Having a UPI takes away the idea of patient control and consent, creating one very easy and obvious way for anyone with the means necessary to look up a patient’s full health record. Patients will only accept a system they can control.
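The financial-identifier analogy above is about linkage: a single identifier that appears in every holder's records is a ready-made join key. The following added example, which is not part of the original post, shows that join on constructed sample datasets, and then shows what changes if each holder instead receives a per-holder pseudonym derived from the root identifier with a key the holder never sees. The sector keys, identifiers and records are all made up for the example; the pseudonym is truncated to 64 bits purely for readability.

```python
"""Linkage across data holders with a universal identifier versus per-holder pseudonyms."""
import hashlib
import hmac

# Constructed sample records from three unrelated holders, each keyed by the same UPI.
UPI_DATASETS = {
    "pharmacy": {"UPI-1001": "fluoxetine 20 mg", "UPI-1002": "metformin 500 mg"},
    "insurer": {"UPI-1001": "claim: outpatient psychiatry", "UPI-1002": "claim: endocrinology"},
    "employer": {"UPI-1001": "job applicant, shortlisted"},
}

# Assumed alternative: one derivation key per holder, kept by the patient or an
# issuing authority, never by the holder. Constructed values.
SECTOR_KEYS = {
    "pharmacy": b"sector-key-pharmacy-example",
    "insurer": b"sector-key-insurer-example",
    "employer": b"sector-key-employer-example",
}


def link_by_upi(datasets):
    """Anyone holding two datasets keyed by the UPI joins them with a dict lookup."""
    profiles = {}
    for holder, rows in datasets.items():
        for upi, fact in rows.items():
            profiles.setdefault(upi, {})[holder] = fact
    return profiles


def pseudonym(holder: str, root_id: str) -> str:
    """Per-holder identifier: HMAC of the root id under that holder's sector key."""
    digest = hmac.new(SECTOR_KEYS[holder], root_id.encode(), hashlib.sha256).hexdigest()
    return digest[:16]


def pseudonymize(datasets):
    """Re-key each holder's dataset under its own pseudonyms."""
    return {
        holder: {pseudonym(holder, upi): fact for upi, fact in rows.items()}
        for holder, rows in datasets.items()
    }


def cross_holder_links(datasets):
    """Identifiers present in more than one holder's data: the available join keys."""
    seen = {}
    for holder, rows in datasets.items():
        for ident in rows:
            seen.setdefault(ident, set()).add(holder)
    return {ident: holders for ident, holders in seen.items() if len(holders) > 1}


def patient_lookup(datasets, holder: str, root_id: str):
    """The patient, who knows the root id and can obtain the derivation, still
    finds their own record at a given holder; a holder alone cannot."""
    return datasets[holder].get(pseudonym(holder, root_id))


if __name__ == "__main__":
    print("joinable with UPI:", cross_holder_links(UPI_DATASETS))
    print("joinable after pseudonymization:", cross_holder_links(pseudonymize(UPI_DATASETS)))
    print("profile of UPI-1001:", link_by_upi(UPI_DATASETS)["UPI-1001"])
    print("patient's own pharmacy record:", patient_lookup(pseudonymize(UPI_DATASETS), "pharmacy", "UPI-1001"))
```

With the UPI, every identifier that appears at two holders is a join key, and a breach at any one holder leaks the key to all the others. With per-holder pseudonyms the same data is still usable by each holder, but the cross-holder join needs the derivation keys, which puts the linkage decision back where the post says it belongs.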

This story is about the fact that genetic testing companies sell people’s test results, compromising families’ and descendants’ future jobs and opportunities. “The NYTimes Ethicist” confirmed a questioner’s fears:

“As for the privacy issue, your concern is well founded. Many of these companies do use customers’ data for medical research or commercial applications, or they sell it to third parties whose interests you might never know. Legally they can’t do that without your consent, but the fine print on those consent forms goes by so quickly that it can be hard to follow.”

Americans’ lack of control over sensitive personal health information in electronic systems is a true national disaster. Not everyone knows this yet, but President Obama does.

He laid out an historic, tough new Consumer Privacy Bill of Rights to stop the data mining and data theft industries. The first principle is that of individual control: “Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

Key quotes from the Administration’s new “Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”:

“Strong consumer data privacy protections are essential to maintaining consumers’ trust in the technologies and companies that drive the digital economy.”

The President concluded, “It [privacy] has been at the heart of our democracy from its inception, and we need it now more than ever.”

The only way we can trust the Internet and have a vibrant global digital economy is if individuals control personal information online and in electronic systems. The right of informed consent before personal information is collected or used must be restored.

When will the health IT industry, Congress, and lawmakers across the US act to restore the right to privacy and control over personal information?

“The Obama Administration unveiled a ‘Consumer Privacy Bill of Rights’ as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled. This initiative seeks to protect all Americans from having their information misused by giving users new legal and technical tools to safeguard their privacy. The blueprint will guide efforts to protect privacy and assure continued innovation in the Internet economy by providing flexible implementation mechanisms to ensure privacy rules keep up with ever-changing technologies. As a world leader in the Internet marketplace, the Administration believes the United States has a special responsibility to develop privacy practices that meet global standards and establish effective online consumer protection.”

To read more about the proposed bill, here are some additional resources:

The new EU standards for data privacy apply to health data and require the level of personal control over health data and informed consent that Americans expect from electronic health systems, but don’t have. US companies doing business in the EU will have to comply with these tough new privacy protections in a year or face penalties. If companies can build privacy-protective systems there, why not here?

Quote:

Companies doing business in the EU must prove that “every subject has given consent for the processing of their data for specified purposes.” Consent is defined as “any freely given specific, informed and explicit [emphasis added] indication of will,” and can be withdrawn at any time. The subject will also have a controversial “right to be forgotten and to erasure.” This means that when the subject withdraws consent or “the data are no longer necessary” for the purposes for which they were collected, the company must render the data inaccessible, including on the Internet.

Americans feel the exact same way the European public feels; they too want ethics-based systems that comply with longstanding rights to health privacy.

Since US companies will have to comply with strong patient privacy rights in the EU, they could obviously do the same in the US. Unless the US builds in the same strong patient protections, research comparing electronic health records in the US and EU will be impossible.

The Administration should use the EU example to move forward and require US electronic systems and data exchanges be built to comply with Americans’ longstanding rights to control the use of personal health information.

The British Prime Minister proposes opening up and selling the health information of British citizens, i.e., copying the US model of data sales, because he sees it is worth tens to hundreds of billions in annual revenue to those in the US selling data. For at least the past decade, US industry has been violating Americans’ expectations and strong rights to health privacy by selling and using sensitive patient health information without consent, and without public awareness, much less debate.

Prime Minister “[Cameron] sees no limit on the involvement of the private sector and says he wants it to be a ‘fantastic business’. In his desperation to develop a credible industrial strategy, he seems willing to put large chunks of our NHS up for sale.”

Roger Gross, from the pressure group Patient Concern, said that allowing private firms access to NHS data would mean “the death of patient confidentiality”.

“We understand GP surgeries will have the right to refuse to release their patients’ records, but whether patients will ever be told what is happening, let alone have the choice to protect their privacy, is still unclear,” Gross said.

“The future of your personal health information involves gigantic Internet-driven databases that connect you to doctors, health information and services no matter where you are and what time it is.

With a big push from President Obama, who wants secure electronic health records for every American by 2014, many health insurance companies, hospitals, private practices and pharmacies are already delivering some patient portals using these records as a backbone.

It’s the future of medicine, says Dr. Raymond Casciari, chief medical officer at St. Joseph Hospital in Orange, California, but for now, he adds, “We’re still in the dark ages.”

The portal approach is intended to be beneficial, letting you share key medical data instantly with your family and consult with specialists on another continent. It’s supposed to lower healthcare costs and provide better services. But the data being stored is sensitive and so far it isn’t very secure, say experts. So it’s important to know how your medical information is being shared and managed, especially as access explodes.

Dr. Deborah Peel, a psychiatrist and founder of Patient Privacy Rights, is dubious about patient medical privacy on portals. She believes that data breaches can have harmful effects, including medical discrimination. “Today, we can’t see who uses our electronic records,” she warns. “And they can be back-door mined.”…”

WASHINGTON, D.C. – On Friday July 8, 2011, Congressman Edward J. Markey (D-Mass.), co-chairman of the Congressional Bi-Partisan Privacy Caucus and senior member of the House Energy and Commerce Committee, introduced H.Res. 343, a resolution expressing disapproval of the recent Supreme Court decision in Sorrell v. IMS Health. In its decision, the Court struck down a Vermont state law that banned the sale of doctors’ prescription records if the records are used for commercial purposes without the doctors’ permission.

Rep. Markey’s resolution states that the Court erred in applying free speech protections to a Vermont law that lawfully regulated a purely commercial interest. Before the Vermont law was enacted, data-mining companies would purchase information about doctors’ prescription drug information from pharmacies and then resell the data to pharmaceutical companies. The pharmaceutical companies could use the information – without the doctors’ consent – for the commercial purpose of targeting their sales messages and marketing more expensive, brand-name drugs to physicians.

“In this case, the Supreme Court tipped the scales of justice in favor of big drug companies at the expense of patients and their doctors,” said Rep. Markey. “The privacy of the doctor-patient relationship should outweigh the ability of pharmaceutical companies to mine data simply so they can market expensive drugs to providers and reap huge profits. States should be able to regulate pharmaceutical companies in a way that protects the privacy of their residents and prevents pharmaceutical companies from having undue influence on doctors’ prescribing habits.”

Dissenting in the Supreme Court’s 6-3 decision, Justice Stephen Breyer wrote that the Vermont state law in question “adversely affects expression in one, and only one way. It deprives pharmaceutical and data-mining companies of data…that could help pharmaceutical companies create better sales messages.” The dissent, which was joined by Justices Ruth Bader Ginsburg and Elena Kagan, stated that the Vermont statute is a “lawful governmental effort to regulate a commercial enterprise…The far stricter, specially ‘heightened’ First Amendment standards that the majority would apply to this instance of commercial regulation are out of place here.”

Dr. Deborah Peel, a national health privacy expert and founder of the non-profit Patient Privacy Rights, praised the Markey resolution. “With a Supreme Court that stands up for the interests of pharmaceutical companies, it’s reassuring to know that Congressman Markey is looking out for patients and doctors who value the privacy of their prescription drug information.”